Thai government officials have become the focus of a sophisticated cyber campaign deploying a new backdoor, dubbed Yokai, using DLL side-loading techniques.
According to Nikhil Hegde, Senior Engineer at Netskope's Security Efficacy team, "The Yokai backdoor isn't exclusive to Thai officials and can be deployed against any potential target. However, the nature of the lures indicates a clear focus on Thailand."
Attack Chain Initiation
The campaign begins with a RAR archive containing two malicious Windows shortcut files named in Thai, translating to:
"United States Department of Justice.pdf"
"United States government requests international cooperation in criminal matters.docx."
While the exact delivery mechanism remains unconfirmed, Hegde suggests spear-phishing emails as the likely initial vector, given the RAR archive's nature and previous phishing campaign patterns.
The Role of Decoy Files
When these shortcut files are executed, two legitimate-looking documents—a PDF and a Microsoft Word file—are launched to divert attention. Simultaneously, a malicious executable runs silently in the background. Notably, the documents reference Woravit Mektrakarn, a Thai national wanted in the U.S. for a 2003 murder case involving a missing Mexican immigrant.
Payload Deployment: DLL Side-Loading
The malicious executable drops three files onto the system:
IdrInit.exe – A legitimate binary from iTop Data Recovery software.
ProductStatistics3.dll – A malicious DLL file.
DATA file – Contains data transmitted to an attacker-controlled server.
The executable then launches IdrInit.exe, which looks for ProductStatistics3.dll by name. Because Windows checks an application's own directory before the system directories when resolving a DLL, the malicious DLL dropped beside the legitimate binary is the one that gets loaded, and the Yokai code runs inside a process that belongs to a trusted vendor's product. This is what makes DLL side-loading attractive: the backdoor establishes persistence on the compromised host and then connects to a Command-and-Control (C2) server, from which attackers can execute shell commands via cmd.exe.
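As an added example (not Netskope's or the article's code), the following Python script shows one way to hunt for the pattern described above in Sysmon Event ID 7 (Image loaded) records: it flags a DLL loaded from the same directory as its host executable when that directory is user-writable or the DLL is unsigned. The event text, the trusted-root list and the function names are assumptions of this example; the chain it catches is the IdrInit.exe/ProductStatistics3.dll pairing described above, placed in a temp folder for illustration.

```python
"""Heuristic detection of DLL side-loading (ATT&CK T1574.002) in Sysmon
Event ID 7 (Image loaded) records.

Added example, not Netskope's or the article's code.  The event text below
is constructed to mirror the chain described in the article: a legitimate
IdrInit.exe dropped into a temp folder loading ProductStatistics3.dll from
that same folder.  Field names (Image, ImageLoaded, Signed, Signature) are
the ones Sysmon writes; the sample paths, the signer placeholder and the
trusted-root list are assumptions of this example.
"""
from pathlib import PureWindowsPath

# Locations where an EXE loading a DLL from its own folder is normal for
# installed software.  Anything outside these is treated as user-writable.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")

# Constructed Event Viewer-style text: three image-load events separated by
# blank lines.  Only the first one is the side-load.
SAMPLE_EVENTS = r"""
Image: C:\Users\victim\AppData\Local\Temp\IdrInit.exe
ImageLoaded: C:\Users\victim\AppData\Local\Temp\ProductStatistics3.dll
Signed: false
Signature: -

Image: C:\Users\victim\AppData\Local\Temp\IdrInit.exe
ImageLoaded: C:\Windows\System32\kernel32.dll
Signed: true
Signature: Microsoft Windows

Image: C:\Program Files\iTop Data Recovery\IdrInit.exe
ImageLoaded: C:\Program Files\iTop Data Recovery\ProductStatistics3.dll
Signed: true
Signature: vendor-signature-placeholder
"""


def parse_events(text: str) -> list[dict[str, str]]:
    """Split blank-line-separated 'Key: Value' blocks into dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def in_trusted_root(path: PureWindowsPath) -> bool:
    return str(path).lower().startswith(TRUSTED_ROOTS)


def side_load_reasons(event: dict[str, str]) -> list[str]:
    """Return why an image-load looks like side-loading; empty list if clean."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    # PureWindowsPath compares case-insensitively.  A DLL resolved from
    # System32 or another directory is the normal search-order outcome.
    if exe.parent != dll.parent:
        return []
    reasons = []
    if not in_trusted_root(exe):
        reasons.append(f"{exe.name} runs from user-writable path {exe.parent}")
    if event.get("Signed", "false").lower() != "true":
        reasons.append(f"{dll.name} loaded from the application directory is unsigned")
    return reasons


def find_side_loads(text: str) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, reasons) for every event that trips a heuristic."""
    hits = []
    for event in parse_events(text):
        reasons = side_load_reasons(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for loaded, reasons in find_side_loads(SAMPLE_EVENTS):
        print(loaded)
        for reason in reasons:
            print("   -", reason)
```

Sysmon must be configured to log image loads (and signature fields) for these events to exist. A production rule would add two checks this example omits: compare the DLL's signer with the host executable's signer, and baseline which DLL names each vendor product legitimately ships next to its binaries, so a legitimate ProductStatistics3.dll under Program Files is not repeatedly triaged.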
Rising DLL Side-Loading Campaigns and NodeLoader Attacks
The discovery of the Yokai backdoor comes amidst another campaign uncovered by Zscaler ThreatLabz, which leverages Node.js-compiled executables to distribute malware, including:
XMRig – A cryptocurrency miner.
Lumma and Phemedrone Stealer – Information stealers.
Attackers use malicious links embedded in YouTube video descriptions to redirect users to fake websites or MediaFire-hosted ZIP archives disguised as video game cheats. Running the executable extracted from the archive launches NodeLoader, a Node.js-based payload downloader.
NodeLoader's Infection Process
Stage 1: NodeLoader fetches a PowerShell script.
Stage 2: The PowerShell script executes the final malware payload.
Notably, NodeLoader uses sudo-prompt, a publicly available module from GitHub and npm that requests elevated privileges through the operating system's consent dialog rather than exploiting a vulnerability, and it employs anti-analysis and evasion techniques to avoid detection.
Remcos RAT: A Persistent Phishing Threat
Separately, researchers have observed a surge in deployments of the Remcos Remote Access Trojan (RAT) through revamped phishing infection chains.
Two Key Variants:
Visual Basic Scripts (VBS): A VBS file executes a highly obfuscated PowerShell script that ultimately injects Remcos RAT into RegAsm.exe, a legitimate Microsoft .NET executable.
Office Open XML Documents: These documents embed an RTF file that exploits CVE-2017-11882, a memory corruption flaw in the Microsoft Equation Editor, to run a VBS script. The VBS then launches PowerShell, which injects the RAT payload into the memory of RegAsm.exe.
In both chains the final Remcos payload is never written to disk as a standalone executable; it is decoded in memory and injected into a legitimate process, which defeats file-based antivirus scanning.
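As an added example covering both the NodeLoader stages above and the Remcos chains just described (not Zscaler's or McAfee's code), the following Python script applies process-lineage rules to constructed Sysmon Event ID 1 (Process creation) records: a script host or an unknown executable in a user-writable directory launching PowerShell, PowerShell started with hidden/encoded/bypass flags, a .NET utility such as RegAsm.exe started by PowerShell with no arguments, and any child of EQNEDT32.EXE, the Equation Editor binary affected by CVE-2017-11882. The sample records, rule wording, flag list and helper names are assumptions of this example.

```python
"""Process-lineage checks for script-to-PowerShell-to-LOLBin chains, run over
constructed Sysmon Event ID 1 (Process creation) records.

Added example, not McAfee's or Zscaler's code.  Field names (Image,
CommandLine, ParentImage) match Sysmon; the sample records and rule
thresholds are assumptions of this example.
"""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Signed .NET utilities commonly chosen as hosts for injected payloads.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                       "-nop", "-ep bypass", "-executionpolicy bypass")
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")

# Constructed records.  Events 1-4 are malicious patterns; event 5 is benign.
SAMPLE_EVENTS = [
    {   # Remcos VBS chain: script host launches hidden, encoded PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AA==",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # Remcos injection host: RegAsm.exe started by PowerShell with no arguments
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # CVE-2017-11882 abuse: Equation Editor spawning a shell
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c wscript.exe C:\Users\victim\AppData\Local\Temp\a.vbs",
        "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    },
    {   # NodeLoader stage 1: extracted "cheat" binary fetches and runs a PowerShell script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\stage.ps1",
        "ParentImage": r"C:\Users\victim\Downloads\cheat\cheat.exe",
    },
    {   # Benign: a user opening PowerShell from the shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    return not str(PureWindowsPath(path)).lower().startswith(TRUSTED_ROOTS)


def lineage_alerts(event: dict[str, str]) -> list[str]:
    """Return the rule descriptions an event matches; empty list if clean."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    alerts = []
    if parent == "eqnedt32.exe":
        alerts.append("child process of Equation Editor (EQNEDT32.EXE)")
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            alerts.append(f"{parent} spawned PowerShell")
        elif _user_writable(event["ParentImage"]):
            alerts.append(f"PowerShell launched by {event['ParentImage']} outside Windows/Program Files")
        if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
            alerts.append("PowerShell invoked with hidden/encoded/bypass flags")
    if image in INJECTION_HOSTS and parent in POWERSHELL:
        # Command line that is just the quoted image path means no arguments,
        # which is typical of a process started only to be injected into.
        has_args = cmd.strip().strip('"') != event["Image"].lower()
        alerts.append(f"{image} started by PowerShell" + ("" if has_args else " with no arguments"))
    return alerts


def scan(events: list[dict[str, str]]) -> list[tuple[str, list[str]]]:
    """Return (Image, alerts) for every event that matches at least one rule."""
    return [(e["Image"], lineage_alerts(e)) for e in events if lineage_alerts(e)]


if __name__ == "__main__":
    for image, alerts in scan(SAMPLE_EVENTS):
        print(image)
        for alert in alerts:
            print("   -", alert)
```

The same rules translate directly into Sigma process_creation rules or an EDR query; the value of expressing them as lineage rather than as file hashes is that they survive the re-obfuscation of the VBS and PowerShell stages that each new Remcos or NodeLoader campaign brings.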
Proactive Defense Measures
As these advanced malware campaigns evolve—leveraging techniques like DLL side-loading, phishing, and fileless execution—the need for proactive cybersecurity strategies becomes paramount.
McAfee Labs researchers highlight the increasing danger, stating, "With attackers continuing to exploit phishing emails and malicious attachments, implementing robust security measures is no longer optional—it’s critical."
Key Takeaways:
Yokai Backdoor uses DLL side-loading to target Thai officials, potentially expanding to global targets.
NodeLoader campaigns abuse links in YouTube video descriptions to deliver malware such as XMRig and Lumma Stealer.
Remcos RAT resurfaces with fileless techniques and sophisticated multi-stage delivery.